How many VLANs does the ASA 5505 Security Plus license support?

Hello guys. I have an ASA 5505 Adaptive Security Plus, and I have only 3 VLANs: outside, inside, restricted DMZ.

It works well, but I want to connect another private network to my inside, so please can someone help me out here, or do I have to buy a license?

And how can I activate the license key?

Thank you very much


Here is the explanation, since I have no idea about your topology.

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 3, DMZ Restricted
Inside Hosts: 10
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 10
WebVPN Peers: 2
Dual ISPs: Disabled
VLAN Trunk Ports: 0

This platform has a Base License.

Here is an example of the Security Plus license feature set:

Licensed features for this platform:
Maximum Physical Interfaces: 8
VLANs: 20, DMZ Unrestricted
Inside Hosts: Unlimited
Failover: Active/Standby
VPN-DES: Enabled
VPN-3DES-AES: Enabled
VPN Peers: 25
WebVPN Peers: 2
Dual ISPs: Enabled
VLAN Trunk Ports: 8

This platform has an ASA 5505 Security Plus License.

Now the explanation of "DMZ Restricted":

  • Only 10 hosts in the DMZ and LAN combined may contact the outside interface at any time.
  • Only 2 fully functional VLANs (generally inside and outside) are allowed. The 3rd VLAN, usually a DMZ, can only be activated with the command 'no forward interface vlan n', which prevents it from initiating connections to one of the other VLANs, usually inside.

Just in case: if you have basic servers then put them inside, since DMZ connections are not allowed. If you have Security Plus then there should not be any problem. As you mentioned, if the VLAN IP ranges all belong to the inside, then connecting with the outside shouldn't be a problem.

Thank you
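To check a planned topology against the two feature sets above, here is an added Python example (not from the thread or from Cisco): it parses the feature lines of show activation-key and lists what the current license cannot provide; the two sample outputs are constructed to follow the layout quoted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed samples laid out like the "show activation-key" feature lines quoted in the thread.
BASIC_LICENSE = """\
Licensed features for this platform:
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
This platform has a Base License.
"""
SECURITY_PLUS_LICENSE = """\
Licensed features for this platform:
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
This platform has an ASA 5505 Security Plus License.
"""

FEATURE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9 /-]+?)\s*:\s*(?P<value>\S+)(?P<qual>.*)$")

def parse_activation_key(text):
    """Return {feature: (value, qualifier)}; value is int, bool (Enabled/Disabled) or str."""
    feats = {}
    for line in text.splitlines():
        m = FEATURE_LINE.match(line)
        if not m:
            continue                      # banner and summary lines carry no feature
        raw = m.group("value")
        if raw.isdigit():
            value = int(raw)
        elif raw.lower() in ("enabled", "disabled"):
            value = raw.lower() == "enabled"
        else:
            value = raw                   # e.g. "Unlimited", "Active/Standby"
        qual = m.group("qual").replace("perpetual", "").strip()
        feats[m.group("name").strip()] = (value, qual)
    return feats

@dataclass
class Design:
    vlans: int                  # named VLAN interfaces (outside, inside, dmz, ...)
    trunk_ports: int = 0        # switchports that must carry several 802.1Q VLANs
    inside_hosts: int = 0       # inside/DMZ hosts talking through outside at once
    dual_isp: bool = False
    failover: bool = False

COUNTED = (("VLANs", "vlans"), ("VLAN Trunk Ports", "trunk_ports"), ("Inside Hosts", "inside_hosts"))
SWITCHED = (("Dual ISPs", "dual_isp"), ("Failover", "failover"))

def check_design(feats, design):
    """Return {'gaps': [...], 'notes': [...]}; an empty 'gaps' list means the license fits."""
    gaps, notes = [], []
    for name, attr in COUNTED:
        cap, wanted = feats.get(name, (0, ""))[0], getattr(design, attr)
        if isinstance(cap, int) and wanted > cap:    # a str cap ("Unlimited") never blocks
            gaps.append(f"{name}: need {wanted}, licensed {cap}")
    for name, attr in SWITCHED:
        if getattr(design, attr) and feats.get(name, (False, ""))[0] is False:
            gaps.append(f"{name}: disabled on this license")   # "Active/Standby" counts as on
    if design.vlans == 3 and "Restricted" in feats.get("VLANs", (0, ""))[1]:
        notes.append("third VLAN is DMZ Restricted: configure 'no forward interface' "
                     "towards one of the other VLANs")
    return {"gaps": gaps, "notes": notes}

if __name__ == "__main__":
    plan = Design(vlans=4, trunk_ports=1)   # the asker's extra private network, reached over a trunk
    for label, text in (("Base", BASIC_LICENSE), ("Security Plus", SECURITY_PLUS_LICENSE)):
        print(label, check_design(parse_activation_key(text), plan))
```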


Tags: Cisco Security

Similar Questions

  • ASA 5505 Security Plus license question

    Hi all!

I have an ASA 5505 that I first tested with the Security Plus license. Recently, I erased flash and loaded the latest version of the asa841-k8.bin IOS with asdm-642.bin. Everything started up fine and came up as it does when freshly installed; however I noticed that I was now running only a basic license. If I run the sh activation-key command, I notice the following messages (the full output is below):

The Running Activation Key is not valid, using default settings:

    This platform has a Base License.

    Failed to retrieve permanent activation key from flash.

Did I somehow kill my Security Plus license when I did the flash erase? If yes, how do I get it back?

    Thank you!!!


ciscoasa# sh activation-key

    Serial Number: JMXXXXXXHU

    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

    The Running Activation Key is not valid, using default settings:

    Licensed features for this platform:
    Maximum Physical Interfaces: 8 perpetual
    VLANs: 3 DMZ Restricted
    Dual ISPs: Disabled perpetual
    VLAN Trunk Ports: 0 perpetual
    Inside Hosts: 10 perpetual
    Failover: Disabled perpetual
    VPN-DES: Enabled perpetual
    VPN-3DES-AES: Disabled perpetual
    AnyConnect Premium Peers: 2 perpetual
    AnyConnect Essentials: Disabled perpetual
    Other VPN Peers: 10 perpetual
    Total VPN Peers: 25 perpetual
    Shared License: Disabled perpetual
    AnyConnect for Mobile: Disabled perpetual
    AnyConnect for Cisco VPN Phone: Disabled perpetual
    Advanced Endpoint Assessment: Disabled perpetual
    UC Phone Proxy Sessions: 2 perpetual
    Total UC Proxy Sessions: 2 perpetual
    Botnet Traffic Filter: Disabled perpetual
    Intercompany Media Engine: Disabled perpetual

    This platform has a Base License.

    Failed to retrieve permanent activation key from flash.

    The flash permanent activation key is the SAME as the running permanent key.

    Hi Ken,

If you know the license activation key for your Security Plus license, you can simply re-install it with the "activation-key" command from global configuration mode.

    If you have lost the key, you'll want to open a support case to get it retrieved.

    Hope that helps.


• How to configure NAT on the ASA 5505

    Hello guys

First of all, thank you to the whole Cisco community; they have helped me a lot without an expert or a university...

    Today, I have some question on NAT

We have a site-to-site VPN, and it works very well. Our partner company demands that we use a public IP address instead of the private IP address in the encryption domain, and they said you have to NAT your private to the public IP address. Really, we don't know how to NAT on the Cisco ASA 5505.



    OUR PUBLIC IP ADDRESS: 155.155.1555.20


    Thank you very much

If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know exactly what they want to access and configure the specific port they need).

    However, if you have a spare public IP address, then you do not need to know exactly what they need to get to, and you can configure the Linux server using the spare public IP.

    Also, do they need access to the Linux server using the public IP via the VPN tunnel (encrypted)? Or are they happy to access it only via the internet (clear text)?

• How many interfaces does the ASA 5510 have?

    Can someone please tell me how many interfaces the ASA 5510 has, and whether we can add more interfaces to it.



Hi assane,

    When you order the ASA5510, you can choose between (there is no option to add more interface ports):

    1. The ASA5510 comes with 3 x FastEthernet, plus 1 x management port (FastEthernet)

    ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 IPSec VPN peers, 2 SSL VPN peers, 3DES/AES license, or

    2. The ASA5510 comes with 5 x FastEthernet, plus 1 x management port (FastEthernet).

    Cisco ASA 5510 Security Plus Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPSec VPN peers, 2 SSL VPN peers, active/standby high availability, 3DES/AES license



• ASA 5505 licensing / encryption clarification


I have an ASA 5505 with Security Plus licenses. The specific entry that I focus on when I do a 'show version' is:

    AnyConnect Premium Peers: 25 perpetual
    AnyConnect Essentials: 25 perpetual

    For my IPSEC IKEv2, I have:

    crypto ikev2 policy 1
     encryption aes-256
     integrity sha512
     group 21
     prf sha512
     lifetime seconds 10000

    Bringing up a L2L VPN, I'm able to establish IPSEC/IKEv2 with DH group 21 without problem.
    But when I try to connect a remote client with Cisco AnyConnect, I get the following message:

    IKEv2 Remote Access connection failed. Attempting to use NSA Suite B algorithm (Group ECDH) without AnyConnect Premium license.

    After research, I see that Diffie-Hellman groups 19 and above are considered NSA Next Gen algorithms. I guess that I don't have the correct license to support this with the AnyConnect client, so I edited my ikev2 policy as follows:

    crypto ikev2 policy 1
     group 14 21

    My problem is that I still get the same error. Shouldn't AnyConnect negotiate down to group 14? And shouldn't the L2L negotiate the highest possible, group 21?

    All advice is appreciated.

When you have licenses for both AnyConnect Essentials and Premium on an ASA, you must choose one or the other type for all AnyConnect clients.

    We see it in general where a customer started with the Essentials license, then later added Premium. When you do this, you must configure "no anyconnect essentials" in order to use features that require the Premium license level.

    All Essentials clients should continue to work in your case, since the number of authorized users is equal on both license types. On larger devices, Premium licenses can be fewer than Essentials, since the former is sold by number of users (and can get very expensive on the larger machines because they potentially have 1000s of users) and the latter is a relatively cheap license which covers the whole device according to its hardware capacity.

    On the 5505 the maximum capacity is 25 and you already have the same number registered for Premium. (The Premium license SKUs available for this platform are 10 and 25.)

• PCs behind the ASA 5505 cannot ping an internet address

    There must be a problem with the ACL configuration. How do I configure the ASA 5505 so that computers behind it can ping an internet IP address?

    Thank you


If you have no ACLs on the external interface, please use the following command to allow ICMP through the ASA.

    fixup protocol icmp

    Then try to ping. Let me know if this helps.

    Also, please give us a little more detail so that we can understand and help you better.

    See you soon,


• Wanted to know how much a RAM upgrade will cost me?

    I own a MacBook Pro MD101. I want to upgrade my Mac from 4 GB to 8 GB RAM. How much will it cost me at Apple support in Bangalore, India?

    Before going to Apple in Bangalore, see if there is a MacSales (OWC) or similar in India. These people would also ship to India and are generally less expensive than Apple. Make sure that you give them full details of your machine when you contact them.

• How much RAM does my MacBook Pro support?

    Hello fellow Mac users,

    I want to upgrade my MacBook Pro, but I don't know how many RAM slots it has and how much and what kind of RAM it supports.

    Could someone help me out?

    Thanks in advance!

    MacBook Pro

    Model: MacBookPro8,1
    Processor: Intel Core i5
    Processor speed: 2.4 GHz
    Number of processors: 1
    Total number of cores: 2
    L2 cache (per core): 256 KB
    L3 cache: 3 MB
    Memory (RAM): 4 GB
    Boot ROM version: MBP81.0047.B2C
    SMC version (system): 1.68f99
    Serial number (system): C0*V13
    Hardware UUID: *

    <personal information edited by the host>

    Here you can get detailed information about RAM on a MacBook: MacBook Pro: how to remove or install memory - Apple Support

• Need 10 SSL VPN licenses for an ASA 5505 with a basic license; is the Security Plus license necessary?

    A salesman told me that one of my clients needs an upgrade to a Security Plus license before he can order 10 SSL VPN licenses. I searched Cisco's web site and could not find anything saying that either. Does anybody know what it takes? Thank you.

    I never installed them on a non-SecPlus ASA, but the documentation clearly indicates that it is supported:

    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:

• VLANs with Cisco ASA 5505 and a non-Cisco switch

    I have an ASA5505 and a Netgear GSM7224 L2 switch that I am trying to use together. I can't grasp how VLANs work (or at least how they should be set up). Configuring my VLANs on the ASA5505 seems simple enough, but then on my switch I thought I'd just create the same VLAN numbers that I used on the ASA and then add the ports that I wanted to use for each VLAN.

    Currently on my ASA, I have the following VLANs configured...

    outside - vlan11 - Port 0/0
    inside - vlan1 - Port 0/1
    dmz_ftp - vlan21 - Port 0/2
    corp - vlan31 - Port 0/3

    I need to do the same thing on my switch as well... On the switch, I'm a little confused as to how I need to configure the VLANs. Below is the screenshot of the web GUI...

    Note: Normally you can change the VLAN ID (red), but in this case the default VLAN (VLAN ID 1) may not be changed or deleted; you cannot change its settings.

    Tagged (green), Untagged (purple) and Autodetect (yellow): you must select at least 1. I'm not sure how to tell my inner VLAN (vlan1) in one place.

    I want VLAN1 ports 1-8 on my Netgear switch to be used only to talk to interface port 0/1 on the ASA5505. I do NOT want ports 9-24 to be able to talk to ports 1-8 on the Netgear switch OR to 0/0, 0/2 - 0/7 on the Cisco ASA 5505.

    So, how can I configure my inner Vlan1 on ports 1-8 on the switch? Do I tag, untag, or autodetect them? What about trunks? I've been under the impression that I would set up my VLANs on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the trunk, and VLAN security would then take the packets where they need to go. Is this the wrong logic?

Hi Arvo,

    If the port of the ASA is just part of a single VLAN (i.e. e0/0 only in VLAN 11), this is called an access port. If the port of the ASA has to carry several VLANs, it is a trunk port.

    For access ports (single VLAN), you must set the corresponding switch port to be untagged for that single VLAN. If you decide to configure a trunk port, then the switch port must be set to tagged for each of the VLANs carried on the trunk.

    For example, on the ASA I have:

    interface Ethernet0/1
     switchport access vlan 20

    interface Vlan20
     nameif inside
     security-level 100
     ip address

    With the above configuration, the switch configuration would look like this (assuming the e0/1 port of the ASA is connected to 0/1 on the switch):

    VLAN 20 - 0/1 = untagged

    If instead you use a trunk port, the config would look like this:

    interface Ethernet0/0
     switchport trunk allowed vlan 10,20
     switchport mode trunk

    interface Vlan10
     nameif outside
     security-level 0
     ip address dhcp setroute

    interface Vlan20
     nameif inside
     security-level 100
     ip address

    Assuming that the ASA e0/0 port is connected to 0/1 on the switch:

    VLAN 10 - 0/1 = tagged
    VLAN 20 - 0/1 = tagged

    Hope that helps.


• How can I get the crypto engine working in the ASA 5505?

    I bought a brand new ASA 5505 to connect to a Cisco 3640 and I cannot yet set up the tunnel. I have tried to change the transform set to just, but no luck. I recently set up a VPN using DMVPN and a Cisco 501 site-to-site, so I am wondering what is going on.

    The router (3640 running 12.4 code) seems ok and I don't think I have a problem with the router, as it works great with the Cisco 501.

    This is a laboratory environment.

    These are the features defined on the ASA 5505:

Licensed features for this platform:
    Maximum Physical Interfaces: 8
    VLANs: 3, DMZ Restricted
    Inside Hosts: 10
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    VPN Peers: 10
    WebVPN Peers: 2
    Dual ISPs: Disabled
    VLAN Trunk Ports: 0
    AnyConnect for Mobile: Disabled
    AnyConnect for Linksys Phone: Disabled
    Advanced Endpoint Assessment: Disabled

    This platform has a Base License.

    This is a ping from to ; it said nothing about IPSEC or ISAKMP.

    This is what I get when I do the show crypto ipsec sa:

    ASA5505(config)# show crypto ipsec sa

    There are no ipsec sas

    ASA5505(config)# show crypto isakmp sa

    There are no isakmp sas

    debug crypto isakmp 10

    packet-tracer input inside icmp 8 0 detail

I have worked on it for a week and don't really know if I have a bad ASA5505. Since the normal stuff like browsing the Internet works and I can ping to the outside and inside, I don't know what to think. See attachments.

    "Doing what you asked has worked."

    Nice to hear that your problem is solved.

    "My question is: can I use the transform-set ESP-3DES-SHA instead of MD5?"

    Of course you can.

    Kind regards.

    Please do not forget to rate the useful messages and check "Solved my problem" if the post has solved your problem.

• How to add IDS to the ASA 5505 and 5520?

    Dear All;

    We have the following HW configuration for the ASA 5505 and ASA 5520, and we want to add Intrusion Detection System (IDS) functionality to the two ASAs. My question is: what modules are required to support this function, and what is the difference between IPS and IDS; does the same module do both features?

Part number: Description QTY.

    ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES
    SF-ASA5505-8.2-K8: ASA 5505 Series Software v8.2
    Power supply cord, Type C5, U.S.
    ASA 5500 encryption license (3DES/AES)
    ASA 5505 power adapter
    ASA 5505 10-user software license
    ASA 5505 SSC slot cover (slot empty)
    ASA 5500 AnyConnect Client + Cisco Secure Desktop software

    Part number: Description QTY.

    ASA 5520 appliance with SW, HA, 4GE + 1FE, 3DES/AES
    SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE + 1FE 3DES/AES
    ASA 5520 VPN 750 IPsec User License (7.0 only)
    Cisco VPN Client (Windows, Solaris, Linux, Mac) software
    SF-ASA-8.2-K8: ASA 5500 Series Software v8.2
    CAB-ACU: Power supply cord (UK), C13, BS 1363, 2.5 m
    ASA 180W power supply
    ASA 5500 encryption license (3DES/AES)
    ASA 5500 AnyConnect Client + Cisco Secure Desktop software
    ASA/IPS SSM slot cover

    Thanks in advance.

    Rashed Ward.

Okay, I was not quite correct in my first post.

    These modules are only available for the corresponding ASA models.

    They can all act as IPS (inline mode) or IDS ("promiscuous" mode), depending on how you configure your policies.

    When acting as IPS, the ASA redirects all traffic through the module; all the traffic is inspected and can be dropped inline if a signature is triggered.

    When acting as IDS, the ASA copies some of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it is not inline in this case.

    In addition, these modules can do both in combination. That is, part of the traffic can be inspected inline, while some other (more sensitive) traffic can be inspected in promiscuous mode.

    To better understand, familiarize yourself with this link:

• How can I get voice and data to work with the ASA 5505?

    Here's the issue I'm having. I can get a Cisco 7940 to work behind an ASA 5505 configured site-to-site, and I can also get data to work behind it. However, when I try to create separate VLANs for voice and data, it does not work. Our voice VLANs on our remote sites are 172.30 and data are 172.31; when I put the inside interface on 172.31, data will work, and when I put it on 172.30, voice will work. I upgraded to a Security Plus license and tried creating vlan3 as voice. I have the data up and working but I can't get vlan3 to work. Any help would be greatly appreciated. Thank you

    Here is my current config:

hostname TESTvpn
    enable password xxxxx
    passwd xxxxx
    username admin password xxxxx privilege 15

    name Corp_LAN
    name Corp_Voice
    name TESTvpn

    object-group network SunVoyager
     network-object host
     network-object host

    object-group network Corp_Networks
     network-object Corp_LAN
     network-object Corp_Voice

    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
     no shutdown

    interface Vlan1
     nameif inside
     security-level 100
     no shutdown

    interface Vlan3
     nameif Corp_Voice
     security-level 100
     no shutdown

    interface Ethernet0/0
     switchport access vlan 2
     no shutdown

    interface Ethernet0/7
     switchport access vlan 3
     no shutdown

    dhcpd enable inside
    dhcpd address - inside
    dhcpd dns interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside

    dhcpd enable Corp_Voice
    dhcpd address - Corp_Voice
    dhcpd dns interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    dhcpd option 150 ip

    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational

    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-list Corp_Voice_access_in extended permit ip any any
    access-list Corp_Voice_access_in extended permit icmp any any

    access-list VPN extended deny ip object-group SunVoyager
    access-list VPN extended permit ip any

    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice

    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1

    http server enable
    http inside
    http Corp_Voice
    http Corp_Voice
    http inside
    http outside
    ssh inside
    ssh inside
    ssh outside
    ssh timeout 20

    management-access inside

    dhcpd auto_config outside

    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
     pre-shared-key xxxxx

    interface Ethernet0/1
     no shutdown
    interface Ethernet0/2
     no shutdown
    interface Ethernet0/3
     no shutdown
    interface Ethernet0/4
     no shutdown
    interface Ethernet0/5
     no shutdown
    interface Ethernet0/6
     no shutdown
    interface Ethernet0/7
     no shutdown


Note that access list names are case-sensitive, so you've actually done something different from what I proposed.

    Please do:

    no nat (Corp_Voice) 0 access-list vpn

    no access-list vpn extended permit ip TESTvpn any
    no access-list vpn extended permit ip any any

    access-list VPN extended permit ip any

    nat (Corp_Voice) 0 access-list VPN

    In case you did it deliberately, for example to separate the 2 ACLs: note that the ACL VPN (upper case) is also used in the crypto map, where you cannot add a second ACL.

    So if you want to separate them, you will need 3 access lists:

    access-list data-vpn permit ip TESTvpn any
    access-list voice-vpn permit ip any
    access-list all-vpn permit ip TESTvpn any
    access-list all-vpn permit ip any

    nat (inside) 0 access-list data-vpn
    nat (Corp_Voice) 0 access-list voice-vpn

    crypto map outside_map 1 match address all-vpn

    Don't know if this was also clear in my previous message: I recommend that you replace the "any" (in each of the ACL lines) with something more specific (i.e. a remote network, or an object group that contains the remote networks).



• How to configure ASDM on a Cisco ASA 5505

    I have a Cisco ASA 5505 firewall, and currently it is managed from the command line. I want to configure ASDM so that I can use it as a web-based GUI.

    I don't really know what to do. Can someone please help me with how I can configure ASDM on my firewall?

    Kind regards

    Naushad Khan

    Hi Naushad,

First of all, you must load the ASDM image on the ASA and then use the command:

    asdm image disk0:/asdm645.bin (if the image name is asdm645.bin)

    http server enable

    http inside (if your machine is on the subnet behind the inside interface)

    Go to the machine, open a browser and type:


    It will open the GUI.

    Thank you


Please rate the useful messages.

• How to establish an IPsec VPN tunnel using DNS with the ASA 5505?

    I get a dynamic public IP address, and what I'm trying to do is establish a remote VPN tunnel using IPSec, which I achieve with my provider, but each time the session resets or the ASA 5505 resets I get a new public IP and I need to put the new IP address on the remote client so I can establish the VPN...

    How can I establish an IPsec VPN using DNS? For this scenario, the remote VPN client is a VPN phone, but it could be any VPN client.

    Private IP - Public IP - Private IP

    PBX - Phone (LAN) - ASA 5505 - (Internet) - (router) Remote Site - (LAN) - VPN -

    Kind regards!

Ah ok, I see. Yes, in this case there is nothing you can do other than request a static IP address from your ISP.

    Kind regards.

    PS: Don't forget to mark this question as answered. Thank you!
